Federal Communications Commission
Office of Inspector General

FY 2004 Federal Information Security Management Act (FISMA) Independent Evaluation

October 6, 2004

TABLE OF CONTENTS

SUMMARY

APPENDIX A   OIG Responses to OMB Memorandum M-04-25 Federal Information Security Management Act (FISMA) Reporting Questions

APPENDIX B   FY 2004 FISMA Independent Evaluation and Risk Assessment (Audit Report No. 04-AUD-06-08)

APPENDIX C   FY 2003 Audit of Revenue Accounting & Management Information System (RAMIS) Application Controls (Audit Report No. 03-AUD-01-01)

APPENDIX D   FY 2003 FISMA Independent Evaluation and Risk Assessment (Audit Report No. 03-AUD-06-09)

APPENDIX E   FY 2004 Disaster Recovery Plan Survey (Audit Report No. 03-AUD-12-27)

Summary

The Federal Information Security Management Act ("FISMA" or "the Act") was signed into law on December 17, 2002 as Title III, "Information Security," of the E-Government Act of 2002. The Act permanently re-authorizes the framework established by the Government Information Security Reform Act (GISRA), which expired in November 2002.

FISMA requires all federal agency heads to transmit to the Office of Management and Budget (OMB) an annual agency report consisting of separate components prepared by the agency Chief Information Officer (CIO) and the Office of Inspector General (IG).
A key provision of the Act also requires that the agency IG, or independent evaluators designated by the IG, perform an annual independent evaluation of the agency's information security program and practices. For fiscal year (FY) 2004, the Federal Communications Commission's ("Commission" or "FCC") IG engaged KPMG, LLP to conduct its independent evaluation.

The overall objective of the FISMA independent evaluation was to evaluate the effectiveness of the Commission's information security program. Generally, we found the Commission's information technology security to be effective. We used NIST Special Publication 800-26, "Security Self-Assessment Guide for Information Technology Systems," from the National Institute of Standards and Technology (NIST) as the basis for our methodology to assess the risk for each component of the FCC's program. As applicable, additional guidance was taken from the methodology in the Federal Information System Controls Audit Manual (FISCAM), as well as other laws and directives related to the management and protection of Federal information resources.

OMB Memorandum M-04-25, dated August 23, 2004 and entitled "FY 2004 Reporting Instructions for the Federal Information Security Management Act," was followed in performing and reporting the results of our independent evaluation. Appendix A provides the IG's responses to OMB's questions, which address high-level performance measures of the FCC's information security program and practices. Appendix B provides the final report for our FY 2004 FISMA Independent Evaluation and Risk Assessment (Audit Report No. 04-AUD-06-08).

FISMA also requires that IGs select an appropriate subset of business applications for independent review.
The results of our FY 2003 Audit of Revenue Accounting and Management Information System (RAMIS) Application Controls (Audit Report No. 03-AUD-01-01), included as Appendix C, satisfy this requirement. Appendix D is the report on the FY 2003 FISMA Independent Evaluation and Risk Assessment (Audit Report No. 03-AUD-06-09). Appendix E forwards the final memo on our Disaster Recovery Plan Survey (Audit Report No. 03-AUD-12-27).

APPENDIX A

FY 2004 Federal Information Security Management Act (FISMA) Independent Evaluation

Federal Communications Commission - Office of Inspector General

Responses to OMB Memorandum M-04-25 FY 2004 FISMA Reporting Questions

2004 FISMA Report

Agency:               Federal Communications Commission
Date Submitted:       10/6/2004
Submitted By:         OIG
Contact Information:
    Name:             Walker Feaster
    E-mail:           walker.feaster@fcc.gov
    Phone:            (202) 418-0476

Section A: System Inventory and IT Security Performance
NOTE: ALL of Section A should be completed by BOTH the Agency CIO and the OIG.

A.1. By bureau (or major agency operating component), identify the total number of programs and systems in the agency and the total number of contractor operations or facilities. The agency CIOs and IGs shall each identify the total number that they reviewed as part of this evaluation in FY04. NIST 800-26 is to be used as guidance for these reviews.

A.2. For each part of this question, identify actual performance in FY04 for the total number of systems by bureau (or major agency operating component) in the format provided below.

A.1 and A.2 (the Federal Communications Commission is the only bureau reported, so the Agency Total row matches the bureau row)

                                                                  Federal Communications
                                                                  Commission               Agency Total
    A.1.a. FY04 Programs (Total / Number Reviewed)                 1 / 1                    1 / 1
    A.1.b. FY04 Systems (Total / Number Reviewed)                 19 / 19                  19 / 19
    A.1.c. FY04 Contractor Operations or Facilities
           (Total / Number Reviewed)                               5 / 0                    5 / 0
    A.2.a. Systems certified and accredited
           (Total / Percent of Total)                             19 / 100.0%              19 / 100.0%
    A.2.b. Systems with security control costs integrated
           into the life cycle of the system
           (Total / Percent of Total)                             19 / 100.0%              19 / 100.0%
    A.2.c. Systems for which security controls have been
           tested and evaluated in the last year
           (Total / Percent of Total)                             19 / 100.0%              19 / 100.0%
    A.2.d. Systems with a contingency plan
           (Total / Percent of Total)                              6 / 31.6%                6 / 31.6%
    A.2.e. Systems for which contingency plans have been
           tested (Total / Percent of Total)                       6 / 31.6%                6 / 31.6%

Comments:
A.1.c - The total number of contractor operations or facilities in FY 2004 is based on external contract entities that process FCC data at an offsite location. This total includes Digital Systems Group, Mellon Bank, JP Morgan/Chase Bank, the National Finance Center, and the National Business Center.

A.2.d - The total number of systems with a contingency plan in FY 2004 includes the FCCNET network environment, the Access Control System, and the Commission's internal supporting infrastructure for FFS and FPPS, which is identified in the FCC Information Technology Disaster Recovery Plan. Also included within this total are the Wireless Telecommunications Bureau Auctions Network and Automated Auctions System, which are noted in the Auction Continuity of Operations Plan.

A.3. Evaluate the degree to which the following statements reflect the status in your agency, by choosing from the responses provided in the drop-down menu. If appropriate or necessary, include comments in the Comment area provided below.

    a. Agency program officials and the agency CIO have used appropriate methods to ensure that contractor-provided services or services provided by another agency for their programs and systems are adequately secure and meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.
       Evaluation: Almost Always, or 96-100% of the time

    b. The reviews of programs, systems, and contractor operations or facilities, identified above, were conducted using the NIST self-assessment guide, 800-26.
       Evaluation: Mostly, or 81-95% of the time

    c. In instances where the NIST self-assessment guide was not used to conduct reviews, the alternative methodology used addressed all elements of the NIST guide.
       Evaluation: Rarely, or 0-50% of the time

    d. The agency maintains an inventory of major IT systems and this inventory is updated at least annually.
       Evaluation: Almost Always, or 96-100% of the time

    e. The OIG was included in the development and verification of the agency's IT system inventory.
       Evaluation: Almost Always, or 96-100% of the time

    f. The OIG and the CIO agree on the total number of programs, systems, and contractor operations or facilities.
       Evaluation: Almost Always, or 96-100% of the time

    g. The agency CIO reviews and concurs with the major IT investment decisions of bureaus (or major operating components) within the agency.
       Evaluation: Almost Always, or 96-100% of the time

    h. The agency has begun to assess systems for e-authentication risk.
       Yes or No: Yes

    i. The agency has appointed a senior agency information security officer that reports directly to the CIO.
       Yes or No: Yes

Comments:
Item A - Each agency or contractor that provides a service to the Commission is required, by contract, to follow the guidance outlined by FCC Directive FCCINST 1479.2 and to review and sign a copy of the FCC Rules of Behavior. These documents establish security requirements for all FCC systems.

Item B - Onsite reviews of three of the contractor facilities that house FCC major applications were not performed during FY 2004.

Item C - The Computer Security Program did not use any methodology other than the NIST self-assessment guide to conduct reviews during the fiscal year.

Section B: Identification of Significant Deficiencies
NOTE: ALL of Section B should be completed by BOTH the Agency CIO and the OIG.

B.1. By bureau, identify all FY 04 significant deficiencies in policies, procedures, or practices required to be reported under existing law. Describe each on a separate row, and identify which are repeated from FY03. In addition, for each significant deficiency, indicate whether a POA&M has been developed.
Insert rows as needed.

B.1. FY04 Significant Deficiencies

    Bureau Name: Federal Communications Commission
    Total Number: 2
    Total Number Repeated from FY03: 2

    1. Compliance with OMB Circular No. A-130 Requirements for a Comprehensive Security Plan (Modified Repeat Condition)
       POA&M developed? Yes
    2. Accelerate Efforts to Develop and Test FCC's Contingency Plans (Modified Repeat Condition)
       POA&M developed? Yes

    Agency Total: 2 (2 repeated from FY03)

Comments:

Section C: OIG Assessment of the POA&M Process
NOTE: Section C should *ONLY* be completed by the OIG. The CIO should leave this section blank.

C.1. Through this question, and in the format provided below, assess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestones (POA&M) process. This question is for IGs only. Evaluate the degree to which the following statements reflect the status in your agency by choosing from the responses provided in the drop-down menu.
If appropriate or necessary, include comments in the Comment area provided below.

C.1

    a. Known IT security weaknesses, from all components, are incorporated into the POA&M.
       Evaluation: Almost Always, or 96-100% of the time

    b. Program officials develop, implement, and manage POA&Ms for systems they own and operate (systems that support their program or programs) that have an IT security weakness.
       Evaluation: Almost Always, or 96-100% of the time

    c. Program officials report to the CIO on a regular basis (at least quarterly) on their remediation progress.
       Evaluation: Almost Always, or 96-100% of the time

    d. The CIO develops, implements, and manages POA&Ms for every system they own and operate (a system that supports their program or programs) that has an IT security weakness.
       Evaluation: Almost Always, or 96-100% of the time

    e. The CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
       Evaluation: Almost Always, or 96-100% of the time

    f. The POA&M is the authoritative agency and IG management tool to identify and monitor agency actions for correcting information and IT security weaknesses.
       Evaluation: Almost Always, or 96-100% of the time

    g. System-level POA&Ms are tied directly to the system budget request through the IT business case as required in OMB budget guidance (Circular A-11).
       Evaluation: Almost Always, or 96-100% of the time

    h. OIG has access to POA&Ms as requested.
       Evaluation: Almost Always, or 96-100% of the time

    i. OIG findings are incorporated into the POA&M process.
       Evaluation: Almost Always, or 96-100% of the time

    j. The POA&M process prioritizes IT security weaknesses to help ensure that significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.
       Evaluation: Rarely, or 0-50% of the time

Comments:
Regarding Item J - Agency POA&Ms are not being prioritized to identify significant IT security weaknesses.

C.1 OIG Assessment of the Certification and Accreditation Process
Section C should only be completed by the OIG. OMB is requesting IGs to assess the agency's certification and accreditation process in order to provide a qualitative assessment of this critical activity. This assessment should consider the quality of the Agency's certification and accreditation process. Any new certification and accreditation work initiated after completion of NIST Special Publication 800-37 should be consistent with NIST Special Publication 800-37. This includes use of FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems," to determine an impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans. Earlier NIST guidance is applicable to any certification and accreditation work completed or initiated before finalization of NIST Special Publication 800-37. Agencies were not expected to use NIST Special Publication 800-37 as guidance before it became final.

    Statement: Assess the overall quality of the Agency's certification and accreditation process.
    Evaluation: Excellent

    Comments: The FCC's Information Technology Center's Computer Security Program (CSP) uses the guidance provided in NIST Special Publication 800-37 as the primary basis for its certification and accreditation methodology. The methodology also incorporates NIST Special Publication 800-26 for additional guidance. Prior to the final release of NIST Special Publication 800-37, the CSP was using NIST Special Publication 800-26, FIPS 199, and the draft NIST Special Publication 800-37 for guidance in the FCC certification and accreditation process.

    At the close of FY 2004, all of the FCC's major applications and general support systems had been certified to operate on the network. To date, five (5) of the FCC's nineteen (19) major applications and general support systems, including the Equipment Authorization System, the Experimental Licensing System, and the Universal Licensing System, have been certified to operate using the finalized NIST Special Publication 800-37.

    We reviewed all C&A packages during our FISMA independent evaluation and risk assessment. We noted that the FCC's process relies on a relatively high level of technical expertise to test system controls and ensure that risks posed by major applications and/or general support systems are identified and properly mitigated. To ensure that risks are adequately identified, the process includes security testing consisting of vulnerability assessments and penetration tests. During security testing, the CSP used various automated tools to identify security weaknesses. This testing yielded a number of significant technical issues, including those associated with patch management, operating system configuration, and database audit settings. We noted that all findings were properly communicated to system owners and either resolved during the certification and accreditation process or, depending on the level of associated risk, agreed to be resolved in the near future. This was evident in the certification and accreditation statements for the Equipment Authorization System, the Auctions Network, and the International Bureau Filing System.

Section D
NOTE: ALL of Section D should be completed by BOTH the Agency CIO and the OIG.

D.1. First, answer D.1. If the answer is yes, then proceed. If no, then skip to Section E. For D.1.a-f, identify whether agencywide security configuration requirements address each listed application or operating system (Yes, No, or Not Applicable), and then evaluate the degree to which these configurations are implemented on applicable systems. For example: If your agency has a total of 200 systems, and 100 of those systems are running Windows 2000, the universe for evaluation of degree would be 100 systems. If 61 of those 100 systems follow configuration requirement policies, and the configuration controls are implemented, the answer would reflect "yes" and "51-70%". If appropriate or necessary, include comments in the Comment area provided below.

D.2.
Answer Yes or No, and then evaluate the degree to which the configuration requirements address the patching of security vulnerabilities. If appropriate or necessary, include comments in the Comment area provided below.

D.1. Has the CIO implemented agencywide policies that require detailed specific security configurations, and what is the degree to which the configurations are implemented?

    Application or operating system            Yes, No, or N/A   Evaluation
    a. Windows XP Professional                 N/A
    b. Windows NT                              N/A
    c. Windows 2000 Professional               Yes               Almost Always, or 96-100% of the time
    d. Windows 2000                            N/A
    e. Windows 2000 Server                     Yes               Almost Always, or 96-100% of the time
    f. Windows 2003 Server                     N/A
    g. Solaris                                 Yes               Almost Always, or 96-100% of the time
    h. HP-UX                                   N/A
    i. Linux                                   N/A
    j. Cisco Router IOS                        No                Rarely, or 0-50% of the time
    k. Oracle                                  No                Rarely, or 0-50% of the time
    l. Other. Specify: Silicon Graphics IRIX   No                Rarely, or 0-50% of the time

D.2. Do the configuration requirements implemented above in D.1.a-f address patching of security vulnerabilities?
    Yes or No: Yes
    Evaluation: Almost Always, or 96-100% of the time

Comments:
Item I - The Linux operating system is present within the FCC's environment; however, its use is limited to application testing purposes.
Item J - Cisco does not provide patches for IOS. All vulnerabilities are mitigated and/or corrected via upgrades of the IOS software.
Item K - The FCC Financial Operations Group also manages an Oracle Data Warehouse that serves as a repository of Federal Financial System (FFS) data. However, this system is not considered a major application and is not managed under the Office of the Chief Information Officer. As such, it is not included in this listing.
Items K and L - These platforms are managed by an external contractor and are not connected directly to the internal FCC network environment. However, the contractor has not developed a configuration guide for either the Oracle or IRIX platforms.

Section E: Incident Detection and Handling Procedures
NOTE: ALL of Section E should be completed by BOTH the Agency CIO and the OIG.

E.1. Evaluate the degree to which the following statements reflect the status at your agency. If appropriate or necessary, include comments in the Comment area provided below.

    a. The agency follows documented policies and procedures for reporting incidents internally.
       Evaluation: Almost Always, or 96-100% of the time

    b. The agency follows documented policies and procedures for external reporting to law enforcement authorities.
       Evaluation: Almost Always, or 96-100% of the time

    c. The agency follows defined procedures for reporting to the United States Computer Emergency Readiness Team (US-CERT). http://www.us-cert.gov
       Evaluation: Almost Always, or 96-100% of the time

E.2.
Incident Detection Capabilities.\n                                                                                                                                         Number of     Percentage of\n                                                                                                                                          Systems      Total Systems\n                        a. How many systems underwent vulnerability scans and penetration tests in FY04?                                    11               58%\n                        b. Specifically, what tools, techniques, technologies, etc., does the agency use to mitigate IT security risk?\n                                 Answer:\n                                 The FCC Information Technology Center utilizes various hardware and software based solutions to mitigate IT security risks both\n                                 internal and external to the Commission. Cisco PIX and Checkpoint firewalls control and monitor traffic entering and exiting the FCC\'s\n                                 network environment. Also utilized are network segmentation and layering, controlled network routing, host and network-based virus\n                                 protection software, system log monitoring and alert monitoring. The FCC ITC also implemented various intrusion detection solutions,\n                                 including ISS RealSecure and TripWire. Lastly, the FCC ITC Computer Security Program (CSP) conducts periodic security tests and\n                                 evaluations to identify and mitigate risks.\n\n\nComments:\n\x0cSection G: Training\nNOTE: ALL of Section G should be completed by BOTH the Agency CIO and the OIG.\n\n\n   G.1. Has the agency CIO ensured security training and awareness of all employees, including contractors and those employees with significant IT security\n   responsibilities? 
If appropriate or necessary, include comments in the Comment area provided below.\n\n   G.1.a. Total number of employees in FY04: 2443\n   G.1.b. Employees that received IT security awareness training in FY04, as described in NIST Special Publication 800-50: 2443 (100%)\n   G.1.c. Total number of employees with significant IT security responsibilities: 75\n   G.1.d. Employees with significant security responsibilities that received specialized training, as described in NIST Special Publications 800-50 and 800-16: 40 (53%)\n   G.1.e. Briefly describe training provided:\n      - FCC\'s Top 10 SANS Vulnerabilities\n      - IT DRP Overview and Training\n      - CRC Computer Security (CS) Training\n      - New Staff CS Orientation Training\n      - Monthly CS Notices\n      - CS Alerts and Advisories\n      - Other Specialized IT Security Training\n      - Other Ad-hoc Security Briefings\n   G.1.f. Total costs for providing IT security training in FY04 (in $\'s): $159,055.37\n\nG.2.\n   a. Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency-wide training? (Yes or No)   Yes\n\nComments:\nThe total number of employees in field G.1.a is the sum of the total number of full-time employees (2016) and the total number of contractors with network access (427).\n\nSection F: Incident Reporting and Analysis\nNOTE: ALL of Section F should be completed by BOTH the Agency CIO and the OIG.\n\nF.1. For each category of incident listed: identify the total number of successful incidents in FY04, the number of incidents reported to US-CERT, and the number reported to law enforcement. If your agency considers another category of incident type to be high priority, include this information in category VII, "Other". If appropriate or necessary, include comments in the Comment area provided below.\nF.2. Identify the number of systems affected by each category of incident in FY04. If appropriate or necessary, include comments in the Comment area provided below.\n\nF.1., F.2.
& F.3.\n\n   Columns:\n   F.1. Number of incidents, by category:\n      F.1.a. Reported internally\n      F.1.b. Reported to US-CERT\n      F.1.c. Reported to law enforcement\n   F.2. Number of systems affected, by category:\n      F.2.a. Systems with complete and up-to-date C&A\n      F.2.b. Systems without complete and up-to-date C&A\n      F.2.c. Successful incidents that occurred for known vulnerabilities for which a patch was available\n\n                                                  F.1.a.   F.1.b.   F.1.c.   F.2.a.   F.2.b.   F.2.c.\n   I. Root Compromise                                0        0        0        0        0        0\n   II. User Compromise                               1        0        0        0        0        0\n   III. Denial of Service Attack                     0        0        0        0        0        0\n   IV. Website Defacement                            0        0        0        0        0        0\n   V. Detection of Malicious Logic                   0        0        0        0        0        0\n   VI. Successful Virus/Worm Introduction            1        0        0        0        0        0\n   VII. Other                                        2        0        0        2        0        0\n   Totals:                                           4        0        0        2        0        0\n\nComments:\nItem II was the result of a user account being compromised on a local workstation and the deletion of data contained on the hard drive.\nItem VI was the result of the Beagle worm infecting a limited number of workstations in the FCC environment. The vendor delayed the release of the software patch, thus resulting in the infection.\nItem VII was the result of a disruption of email services due to a high number of emails being received by the Commission and the uploading of an unauthorized web page to an FCC external web server.\n\nAPPENDIX B\n\nFederal Communications Commission - Office of Inspector General\nFY 2004 Federal Information Security Management Act (FISMA) Independent Evaluation and Risk Assessment (Audit Report No. 04-AUD-06-08)\n\nAPPENDIX C\n\nFederal Communications Commission - Office of Inspector General\nFY 2003 Audit of Revenue Accounting & Management Information System (RAMIS) Application Controls (Audit Report No. 03-AUD-01-01)\n\nAPPENDIX D\n\nFederal Communications Commission - Office of Inspector General\nFY 2003 Federal Information Security Management Act (FISMA) Independent Evaluation and Risk Assessment (Audit Report No. 03-AUD-06-09)\n\nAPPENDIX E\n\nFederal Communications Commission - Office of Inspector General\nFY 2004 Disaster Recovery Plan Survey (Audit Report No. 03-AUD-12-27)\n